Archive for the ‘ISC’ Category

Software Update for Cisco IE 3000 Series Switches, (Sat, Jul 10th)

Cisco recently released an update for their Industrial Ethernet 3000 (IE 3000) Series switches, in which two software versions have a hard-coded SNMP address vulnerability. A workaround and a software update are available. I would like to point out a detail in this advisory that seems pertinent given the industrial application of these devices. On the notification page is another advisory: "Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment."

--Tony Carothers (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.

Ubuntu privilege escalation via PAM, (Thu, Jul 8th)

Ubuntu has released a security advisory and an update that fixes a flaw in PAM. The vulnerable code would allow any user with local login privileges to escalate to root. http://www.ubuntu.com/usn/usn-959-1 It is recommended to upgrade immediately.
-Kyle Haugsness

Pirate Bay account database compromised, (Thu, Jul 8th)

Juha-Matti was the first to write in with this article from Brian Krebs. The article explains how the Pirate Bay user database was compromised via SQL injection. http://krebsonsecurity.com/2010/07/pirate-bay-hack-exposes-user-booty/
Of course, I am sure that none of our readers would have an account at the Pirate Bay, except for the rare "I'm doing security research" purpose only. But you may want to drop a helpful hint to your friends.
-Kyle Haugsness

New poll on MSRC, (Thu, Jul 8th)

As more people seem to be releasing 0day vulnerabilities against Microsoft products, I posted a new poll on the Microsoft-Spurned Researcher Collective. Give us your opinions. http://isc.sans.edu/poll.html?pollid=295

Facebook, Facebook, What Do YOU See?, (Wed, Jul 7th)

If you have kids and you are at all familiar with the classic children's board book "Brown Bear, Brown Bear, What Do You See?", written by Bill Martin Jr and illustrated by Eric Carle, then you will understand that the title of this diary is a tribute to that book and should be read in the same tone.
All good things should be used in moderation. The same goes for the social networking sites Facebook, LinkedIn, Twitter, etc. (There are plenty more...) Those who jump in and friend, connect, post, and share to excess may expose themselves if they are not aware of all the possible consequences of using these sites.
The information you post and share on these sites is not only controlled by the companies that host it, but may also be available to an audience of unknowable size. An article posted on darkREADING yesterday highlights some good reasons to show moderation when using social networking sites.

http://www.darkreading.com/insiderthreat/security/privacy/showArticle.jhtml?articleID=225702468
There are many reminders throughout the piece that your private information should NOT be shared on these sites.

So go back to each of your social networking sites and ask yourself the question:
What do I see?

--

Kevin Shortt

ISC Handler on Duty


Bogus Support Organizations use Live Operators to Install Malware, (Tue, Jul 6th)

Drew, one of our readers, wrote to let us know about a new scam being used to spread malware. Well, ok, not so new, but certainly new to me, and becoming popular enough that it should be on your radar.

Picture this: you're surfing away, and your phone rings. A person claiming to be from a support company, or in some cases a "Registered Microsoft Support Partner" (note that Microsoft does not use this term; it's a made-up designation), tells you that you have a virus, and that for a few hundred in your favourite currency, they'll clean your computer for you. Of course, if this happened as a pop-up, you'd know it was a scam, right? Maybe? Your antivirus might catch it, but if not, you'd probably close the window, or perhaps reboot your computer. But would you fall for the live operator on the phone? Would your parents, grandparents or other relatives? How about your manager? Your CEO?
The attackers in these schemes have nothing but time to talk you into installing malware, remote desktop applications, or really anything they feel would make their life easier.

After digging a bit, some of these scams seem to be run from locations in India (though most likely not all of them), but when they call your phone, the number will most likely show an area code in your country. They also take advantage of VoIP services to keep their costs low and their profits high.

There is no good protection against things like this except user education in security awareness. Especially in corporations, this should be an ongoing effort, and things like phishing, vishing, fake antivirus and the like should be presented to your user community for what they are, as frequently as possible.

More info here: http://www.pcpro.co.uk/news/security/359233/the-unstoppable-tech-support-scam
and here: http://www.pcpro.co.uk/news/security/356833/pensioner-targeted-by-fake-virus-phone-scam

=============== Rob VandenBrink, Metafore ===============

Apple iTunes account security compromised, (Mon, Jul 5th)

It seems that iTunes accounts have been hacked to make mass purchases of one developer's apps.
As a safety measure, I recommend changing your iTunes password ASAP and, if you feel paranoid like me, deleting your credit card info from the account until this issue is clarified.
More information at: http://www.alexbrie.com/archives/205, http://thenextweb.com/apple/2010/07/04/app-store-hacked
-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org

Stored XSS vulnerability on YouTube actively abused?, (Sun, Jul 4th)

XSS vulnerabilities are often underestimated, but they can sometimes be extremely dangerous. It looks as if a couple of hours ago attackers started exploiting what appears to be a stored XSS vulnerability on YouTube.
I don't want to go into details on how to exploit it until YouTube fixes it, but it indeed looks pretty widespread already. So far, all the exploits I've seen just enter some benign HTML and are more like comment spam, but as this appears to be a full-fledged vulnerability, things could get out of control easily unless it is fixed.
What could an attacker do? Well, they could steal your YouTube cookies, which probably doesn't mean much to them, but they could also post various JavaScript code that would execute in your browser, in the context of YouTube. I've seen nasty XSS attacks that are used to fake whole login screens, and we know how many people use the same password for multiple accounts.
We'll keep you informed on the development of this.
UPDATE
We received a lot of questions from our readers asking for details about the vulnerability. Now that Google has patched it, we can explain how it worked.
Stored XSS vulnerabilities allow an attacker to store valid HTML/JavaScript/VBScript code in the system. This is most often done through comment systems, as was the case with YouTube, but it can be done in any field that the attacker can edit. For example, if you let a user enter his first and last name and you don't properly filter/encode this data, then once it is displayed back, arbitrary script code can be executed. This is obviously particularly dangerous if an administrator views the attacker's profile, as the script code will execute with the administrator's privileges.
The backend comment application used by YouTube incorrectly encoded output data: only the first entered tag was correctly encoded. So, by supplying a comment containing two tags, <script><script>, the browser would get back the following: &lt;script&gt;<script>. We can see here that the first tag is properly encoded and will be displayed by the browser as it is supposed to be, but the second tag actually starts script code.
This incident shows how important it is to properly check every single point of your application that receives data from users or displays it back to them. Besides correctly encoding data that is sent back to the browser, the application could have been fixed by also properly encoding data immediately after receiving it from the user.
Luckily for Google, the vulnerability has only been abused by various users to hide other comments: they weren't really hidden, they just weren't displayed because the rendered HTML code was broken by the supplied malicious code.
As I said in the initial diary, vulnerabilities such as this one must not be underestimated. While typical examples of XSS vulnerabilities just show you how to pop up an alert window, stealing cookies is just the first step; it is actually pretty easy to display fake login forms that will look completely legitimate to users.
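To make the encoding defect concrete, here is an added example (not YouTube's code and not the diary author's) of a comment renderer with exactly the "only the first entered tag was correctly encoded" behaviour described above, next to a correct encoder and an output-side check. The comment text, the page template and the function names are constructed for this example.

```javascript
// Added example (not YouTube's or the diary author's code): a comment
// renderer with the defect the diary describes, "only the first entered tag
// was correctly encoded", next to a correct encoder. The comment text and
// page template below are constructed for the example.

// DEFECTIVE: String.prototype.replace with a *string* pattern replaces only
// the first match, so only the first '<' and the first '>' are encoded and a
// second tag reaches the browser intact.
function encodeFirstTagOnly(text) {
  return text.replace('<', '&lt;').replace('>', '&gt;');
}

// FIXED: a global regex encodes every occurrence, and every HTML-significant
// character, not just '<' and '>'.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function encodeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Render a stored comment into a page fragment using the supplied encoder.
function renderComment(storedComment, encode) {
  return '<p class="comment">' + encode(storedComment) + '</p>';
}

// Output-side check, in the spirit of the diary's advice to verify every
// point where user data is displayed: after stripping our own template,
// does the fragment still contain raw angle brackets?
function leaksUserTag(fragment) {
  const withoutTemplate = fragment.replace(/^<p class="comment">|<\/p>$/g, '');
  return /[<>]/.test(withoutTemplate);
}

// Constructed sample: the two-tag comment from the diary.
const SAMPLE_COMMENT = '<script><script>';

// encodeFirstTagOnly(SAMPLE_COMMENT) returns '&lt;script&gt;<script>', the
// exact output the diary quotes; encodeHtml(SAMPLE_COMMENT) returns
// '&lt;script&gt;&lt;script&gt;'.
```

A design note on the diary's "also encode on input" remark: encoding at either point closes the hole, but if you encode on input and again on output the stored entities are displayed literally (`&lt;` shows up as text), so pick one canonical place, normally output encoding, and verify it at every rendering site rather than relying on a single filter.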
Before ending this diary, below you can see a screenshot of one YouTube exploit that didn't just hide comments but also displayed a popup to the visitor.

--

Bojan

INFIGO IS

Interesting analysis of the PHP SplObjectStorage Vulnerability, (Sun, Jul 4th)

There is a vulnerability posted in June under CVE-2010-2225 regarding a bug in PHP's SplObjectStorage. I found an excellent analysis of this vulnerability, including a PoC. More information at http://nibbles.tuxfamily.org/?p=1837#more-1837.
If you use PHP and a vulnerable version, find the patch at http://svn.php.net/viewvc?view=revision&revision=300843.
-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org

Malware inside PDF Files, (Sun, Jul 4th)

There is an interesting trend in malware: JavaScript malware inside PDF files. Many people have not updated the programs they use to read PDF files (I have personally seen people with Adobe Reader 5 on their computers), so they are exposed to old exploits.
There is an interesting analysis posted by Kimberly (http://stopmalvertising.com/malware-reports/analysis-of-wzzc_pdf-exploitjspdfkacnk) that shows obfuscated JavaScript inside a PDF file taking advantage of CVE-2008-2992 and CVE-2009-0927. The Wepawet service (http://wepawet.iseclab.org) can show possible malware inside PDF files.
Please remember: if a new version of a piece of software comes out and upgrading does not affect your operation, please use it. It will help you prevent future headaches.
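As an added example (not from the diary, and not Wepawet's or Kimberly's code), the following triage check flags the two structural ingredients that the PDF exploits discussed above depend on: embedded JavaScript and an action that runs it when the document opens. The PDF fragments, the verdict names and the function names are constructed for this example and carry no exploit, only the markers.

```javascript
// Added example (not from the diary, not Wepawet's or Kimberly's code): a
// triage check for PDF files that flags embedded JavaScript and auto-run
// actions. Sample PDFs below are constructed; they contain no exploit.

const NAMES_OF_INTEREST = ['/JavaScript', '/JS', '/OpenAction', '/AA', '/Launch'];

// PDF allows any byte of a name to be written as #xx, so /Java#53cript is the
// same name as /JavaScript. Resolve those escapes so a keyword match cannot be
// dodged by trivial re-spelling.
function normalizeNames(text) {
  return text.replace(/\/[^\s\/<>\[\]()]+/g, (name) =>
    name.replace(/#([0-9A-Fa-f]{2})/g, (_, hex) => String.fromCharCode(parseInt(hex, 16))));
}

function scanPdf(input) {
  const text = typeof input === 'string' ? input : Buffer.from(input).toString('latin1');
  const result = { isPdf: text.startsWith('%PDF-'), findings: {}, verdict: 'not-pdf' };
  if (!result.isPdf) return result;

  const normalized = normalizeNames(text);
  for (const name of NAMES_OF_INTEREST) {
    // Match the whole name only (/JS must not count inside a longer name).
    const re = new RegExp(name + '(?![A-Za-z0-9])', 'g');
    const count = (normalized.match(re) || []).length;
    if (count > 0) result.findings[name] = count;
  }

  const hasScript = '/JavaScript' in result.findings || '/JS' in result.findings;
  const hasTrigger = '/OpenAction' in result.findings || '/AA' in result.findings
    || '/Launch' in result.findings;
  if (hasScript && hasTrigger) result.verdict = 'suspicious';   // script plus auto-run
  else if (hasScript || hasTrigger) result.verdict = 'review';
  else result.verdict = 'clean';
  return result;
}

// Constructed samples (not real malware): a document whose catalog opens an
// action object carrying JavaScript, with the name escaped, and a plain one.
const SAMPLE_SUSPICIOUS_PDF = [
  '%PDF-1.4',
  '1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj',
  '3 0 obj << /S /Java#53cript /JS (app.alert("hi")) >> endobj',
  '%%EOF',
].join('\n');

const SAMPLE_CLEAN_PDF = [
  '%PDF-1.4',
  '1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj',
  '%%EOF',
].join('\n');

// scanPdf(SAMPLE_SUSPICIOUS_PDF).verdict returns 'suspicious';
// scanPdf(SAMPLE_CLEAN_PDF).verdict returns 'clean'.
```

Caveat for anyone using this as a first-pass filter: objects stored in compressed object streams are not visible to a plain-text scan like this, so a 'clean' verdict here is not proof of absence; it is a cheap way to prioritise which files get the full analysis a service like Wepawet performs.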
-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org